Earlier this week Symantec researchers stumbled across a privacy concern with Facebook’s official Android app which once again calls into question whether the social network’s developers truly *get* security and privacy.
As Symantec describes on its blog, when its researchers tested the new Norton Mobile Security product against some of the world’s most popular Android apps, they were disturbed to see a warning that the Facebook Android app leaks personal information without the device owner’s knowledge:
“The first time you launch the Facebook application, even before logging in, your phone number will be sent over the Internet to Facebook servers. You do not need to provide your phone number, log in, initiate a specific action, or even need a Facebook account for this to happen.”
Following on from the revelation of an incredibly dangerous security flaw that could allow hackers to hijack any Facebook account just by sending an SMS message, and over six million users having their privacy breached, you have to wonder what is going on at Facebook.
Are things really that sloppy there?
The good news is that Facebook confirmed Symantec’s findings, and has said it will fix the problem in the next version of its Android app. Furthermore, the social network says that it does not use or process the phone numbers it has been receiving, and has deleted them from its servers.
Well done to Symantec for uncovering this serious privacy flaw in Facebook’s code. That’s a great advert for the new version of the firm’s mobile security product.
Facebook might be wise to run tools like Symantec’s over future versions of its smartphone apps, before it pushes them out to millions of users – just in case there are other unexpected privacy holes that could prove embarrassing.
If you are on Facebook, and want to be kept up to date on the latest privacy and security risks threatening users, be sure to Like the “Graham Cluley Security News” Facebook page.
Hat-tip: The Next Web.